8 Tips for Developing a Security Awareness Program

When you hear the words “information security,” firewalls, antivirus programs, and strong-password requirements may come to mind. But what you might not think about is the one major vulnerability that every security system has: people.

Obviously, people make mistakes and can be manipulated. Some of us don’t always have the best intentions (think: disgruntled ex-employees). Unfortunately, you can’t program people. So, what’s the best way to “patch” this human vulnerability?

Here, we’ll discuss eight tips for developing a security awareness program, so you can help keep your firm’s information safe from “human exploits.”

Strong security starts with policies—the rules that govern what is safe and what isn’t. They should address all the security concerns and practices of your business, including how to dispose of hardware, authenticate a client, and shred documents or CDs. You’ll want to store policies in a place where your staff has access to them at any time. Plus, be sure to give your policies a quarterly or annual review to ensure that they remain relevant.

Keep in mind that the training you provide should enforce the policies you’ve adopted. This will give your staff a reason for why certain practices are followed and give your security awareness program direction.

To be effective, a training plan should address both onboarding training and continual reinforcement. That way, new hires will understand your firm’s security practices from the get-go, and seasoned employees will have the benefit of regular reinforcement of secure habits. Here are a few steps you might take to get started: 

• Write down your goals and how you plan to achieve them.
• Create a calendar of when different phases of your training will take place.
• Share this information with your staff. That way, you’ll demonstrate your commitment to starting and maintaining your awareness program—and everyone will be on the same page.

It could be a client asking for an “urgent” wire transfer. It could be someone from Microsoft informing you that you need to “upgrade” your system. These seemingly legitimate requests tend to catch us off guard.

Scam artists like these (aka social engineers) prey on human weakness. If your firm isn’t prepared for fraudulent phone scams, anyone who answers the call could be the weak link that opens up your business to a breach.

To help defend against phone scams, integrate social engineering prevention into your phone training, or lead a role-playing training session where one person is the con artist and the other is on the receiving end of the call. Plenty of scripts can be found online and in social engineering books.

Did you know that 91 percent of cyber attacks start with phishing (i.e., scam e-mails)? Although there have been advances in spam filters and antivirus software, the most effective means of teaching your staff is to show them real-life examples.

Check your junk folder and share screenshots with staff (on Windows, hit the Print Screen button). Just be sure not to forward the actual e-mail, as that increases the chances of someone clicking on a bad link! You could also turn a slideshow presentation into a game. Ask your staff to spot x number of warning signs—or which e-mails are real or fake. Small rewards can incentivize your staff.

In recent years, various security education software programs have been developed that provide security training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which allow you to generate fake phishing e-mails, send them to your staff, and then generate reports on who clicked and who didn’t. This data can help you get a baseline of your firm’s security awareness, and you can use it again later to evaluate if your training is effective.

Remember: Software cannot replace your plan. It helps provide content, but it’s up to you to make that content fit into your plan.

These days, it’s not hard to find information security news. An RSS feed is a great tool for aggregating various security news sources. When you see something that relates to your practice—whether it’s about software your firm uses or the smartphone a staff member has—share it. You could also compile any major headlines into a monthly or quarterly newsletter. It may start a conversation or alert staff to something they didn’t know. Either way, it will help keep security top of mind without interrupting their workday.

A technical treatise on encryption isn’t going to make an impact. But a funny, one-sentence poster by the coffee machine might actually make a difference. Keep these pointers in mind: 

• Think about ways to make training interactive and engaging.
• Think outside the box.
• Try what hasn’t been tried before—because that’s exactly the kind of thing people are going to remember.

It’s important to know that you’ll likely come across “shock value” material when researching content for your program. Remember, security awareness is not about paranoia. It’s about adopting secure habits so that dealing with these threats becomes second nature. Your tone can make or break your message. Keep it light, informational, and fun.

The last thing you want to do is create “noise” that your staff hears but doesn’t listen to. For example, if you follow Tip #6, don’t share an article every day. Shoot for weekly or monthly—and share only topics that would concern your staff personally.

In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you don’t want to give them so much information that you overwhelm them. Using the tips discussed here, you’ll be on your way to creating and maintaining a steady and effective security awareness program.

What other tips would you recommend for starting a security awareness program? Have you used security education software? Please share your thoughts with us below!